Red Line Drawn: China Recalculates Its Use of Cyber Espionage

On Sept. 25, 2015, President Barack Obama and Chinese President Xi Jinping agreed that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” for an economic advantage. Some observers hailed the agreement as a game changer for U.S. and Chinese relations, while skeptics saw this as little more than a diplomatic formality unlikely to stymie years of state-sponsoredintellectual property theft. Since the agreement, there has been much discussion and speculation as to what impact, if any, it would have on Chinese cyber operations.

To investigate this question, FireEye iSIGHT Intelligence reviewed the activity of 72 groups that we suspect are operating in China or otherwise supporting Chinese state interests. Going back nearly three and a half years to early 2013, our analysis paints a complex picture, leading us to assess that a range of political, economic, and other forces were contributing to a shift in Chinese cyber operations more than a year prior to the Xi-Obama agreement.

Between September 2015 and June 2016, we observed 13 active China-based groups conduct multiple instances of network compromise against corporations in the U.S., Europe, and Japan. During this same timeframe, other China-based groups targeted organizations in Russia and the Asia Pacific region. However, since mid-2014, we have observed an overall decrease in successful network compromises by China-based groups against organizations in the U.S. and 25 other countries. These shifts have coincided with ongoing political and military reforms in China, widespread exposure of Chinese cyber activity, and unprecedented action by the U.S. government.